Tagged Questions

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key.

After the introduction of McBits, I was interested in what security notions are necessary for IND-CCA2 security of integrated encryption schemes (IES, following the key encapsulation mechanism / data ...

I think most of us know the notion Shoup introduced of KEM/DEM (Key encryption material / data encryption material) which is used for example by the (famous) ECIES, where the key is the hash of some ...

We all know that textbook ElGamal falls due to chosen ciphertext attacks, because of its multiplicative homomorphic property ($E(A)*E(B)=E(AB)$).
However these attacks require the ciphertext ($E(A)$ ...

There are many schemes that can advertise themselves with certain security notions, usually IND-CPA or IND-CCA2, for example plain ElGamal has IND-CPA security but doesn't provide IND-CCA security.
...

I was trying to understand Bleichenbacher's CCA attack and thought of working it out in Python. Can someone throw some light on the logic behind the oracle used to check PKCS conformance? Will a ...

Is it possible to make ElGamal IND-CCA2 using OAEP or OAEP+? (OAEP+ from: "OAEP Reconsidered" by Shoup)
The reason I ask is that I recently answered this question and it came to my mind that OAEP or ...

Do you mind giving me any hints, links or ideas about how to improve the security of double regular encryption and decryption, by using the CPA game and CCA game? It sounds like an interesting question, and ...

Propose a symmetric-key-based crypto-system for implementing a secure email system. This system is based on AES and is CCA secure.
Suppose that you have to encrypt a large message and that this message ...

I have been reading up on IND-CCA2 security and was wondering: Are there efficient IND-CCA2 secure schemes that do not require plaintext awareness? I'm guessing yes - could someone point me to these ...

Is it possible to modify a homomorphic encryption scheme so that it can be CCA2 secure?
From the definition of a homomorphic scheme, it seems that it is malleable, which would result in lack of CCA2 ...

Say we have an encryption algorithm that encrypts data blocks of 128 bits size, and makes them cipher blocks $C = E(P)$ without chaining.
Also assume there is a linearity rule for XOR: For every pair ...

At the beginning of OCB's white paper [pdf], OCB is compared to other modes, and non-malleability is one of the properties advertised.
At the end of the paper, it is mentioned the MAC length can be ...

I've studied that Bleichenbacher's CCA attack on PKCS#1 v1.5 is a basis for many versions of attacks in the area.
I'm trying to understand that attack, but every explanation I saw starts with the ...

Consider the Blum-Goldwasser encryption scheme as described on Wikipedia. I was told that it was not IND-CCA-2 secure.
I heard there was malleability, probably it has to do with XOR-ing. But I do not ...

Suppose that $S=(E,D)$ is an additively homomorphic encryption scheme. Now I want to design a protocol $P$ such that given inputs $x_1, x_2, \dots, x_n$, the adversary $A$ (who can decrypt) can only learn ...

RSA-OAEP is IND-CCA2 secure (indistinguishable under an adaptive chosen ciphertext attack). Does it also have the INT-CTXT (integrity of ciphertext) and INT-PTXT (integrity of plaintext) properties?
...

This is an exam question and I have no idea how to recover the message m.
John wants to send an encrypted message to Mary, who has a pair of RSA keys. However, John does not know Mary's public key and ...

I was wondering why the Fujisaki-Okamoto construction (or one of its variants) is not (at least commonly) used with RSA to achieve CCA2 security? Does anyone know of any speed comparisons between RSA ...